{"id":9581,"date":"2021-03-18T08:28:29","date_gmt":"2021-03-18T07:28:29","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=9581"},"modified":"2022-05-30T16:05:23","modified_gmt":"2022-05-30T14:05:23","slug":"new-detection-rules-for-exchange-exploitation-activity","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2021\/03\/18\/new-detection-rules-for-exchange-exploitation-activity\/","title":{"rendered":"New Detection Rules for Exchange Exploitation Activity"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on” da_disable_devices=”off|off|off”][et_pb_row _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Last week, we’ve released a blog post<\/a> on how to detect HAFNIUM activity with the use of THOR Lite. Since our first set of rules, we’ve added several important new rules from fellow researchers and moved even more rules from our commercial set into the open source rule set.<\/p>\n

This alone would be reason enough to recommend another scan. But during the last three days, we’ve added a special group of rules (see below) and fixed some bugs in the code base of THOR that could have lead to false negative on some of the relevant log files (exclusion under certain conditions).<\/p>\n

We therefore recommend a signature update, an upgrade to THOR v10.5.12 (THOR TechPreview v10.6.4) and a new scan run to uncover traces of hacking activity using the newest detection rules.<\/p>\n

The following sections explain the extended coverage.<\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”2_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Compiled ASPX Files<\/h1>\n

We’ve added rules for the compiled ASPX files that often remain on a system even in cases in which an attacker has removed the original web shell.<\/p>\n

These are perfect rules to uncover actual post-exploitation attacker activity and not “just an exploitation” and a webshell drop.<\/p>\n

You can find more information on the creation and meaning of these forensic artefacts in this Trustwave blog post<\/a>.<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-17-at-11.11.36.png” title_text=”Screenshot 2021-03-17 at 11.11.36″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

(Source: Trustwave)<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-17-at-10.53.23.png” title_text=”Screenshot 2021-03-17 at 10.53.23″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-17-at-11.08.44.png” title_text=”Screenshot 2021-03-17 at 11.08.44″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”2_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Improved Generic Webshell Coverage<\/h1>\n

Arnim Rupp provided many improvements to its public rule set that detect all kinds of webshells based on generic characteristcs.\u00a0<\/p>\n

Frequent updates improved these rules and extended the coverage to include the newest unknown webshells mentioned in the most recent reports.\u00a0<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-17-at-11.18.13.png” title_text=”Screenshot 2021-03-17 at 11.18.13″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”2_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

More Filename IOCs<\/h1>\n

Over the last few days we’ve added many new filename IOCs mentioned in reports by ESET<\/a> and others.\u00a0<\/p>\n

The ESET report mentions and lists IOCs of 10 different APT groups exploiting the Exchange vulnerbility and leaving traces on compromised systems.<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-17-at-11.22.25.png” title_text=”Screenshot 2021-03-17 at 11.22.25″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-17-at-11.29.09.png” title_text=”Screenshot 2021-03-17 at 11.29.09″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”2_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Rule Improvements<\/h1>\n

We’ve improved several rules to extend their coverage.<\/p>\n

E.g. the rule that looked for POST requests to a single letter JavaScript file now looks for a certain pattern that includes exploitation attempts with the new Metasploit module.<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-17-at-11.26.51.png” title_text=”Screenshot 2021-03-17 at 11.26.51″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-17-at-11.28.19.png” title_text=”Screenshot 2021-03-17 at 11.28.19″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-17-at-11.35.24.png” title_text=”Screenshot 2021-03-17 at 11.35.24″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.17.4″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]Due to all the mentioned improvements and bugfixes, we recommend another scan run on your Exchange servers. The following commands upgrade THOR and its signature set.<\/p>\n

THOR
\nthor-util.exe upgrade<\/code><\/p>\n

THOR Lite
\nthor-lite-util.exe upgrade<\/code><\/p>\n

Remember these recommendations from the initial blog post:<\/p>\n

    \n
  • If you’ve installed Exchange on a drive other than C: use `–allhds`<\/li>\n
  • Use `–sigma` feature when scanning with THOR (not available in THOR Lite)<\/li>\n
  • Add the following exclusion to the file `.\/config\/directory-excludes.cfg` to skip all mailbox directories:<\/li>\n<\/ul>\n

    \\\\(MDBDATA|Mailbox|Mailbox Database)\\\\<\/code>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

    Last week, we’ve released a blog post on how to detect HAFNIUM activity with the use of THOR Lite. Since our first set of rules, we’ve added several important new rules from fellow researchers and moved even more rules from our commercial set into the open source rule set. This alone would be reason enough to recommend another scan. But during the last three days, we’ve added a special group of rules (see below) and fixed some bugs in the code base of THOR that could have lead to false negative on some of the relevant log files (exclusion under certain conditions). We therefore recommend a signature update, an upgrade to THOR v10.5.12 (THOR TechPreview v10.6.4) and a new scan run to uncover traces of hacking activity using the newest detection rules. The following sections explain the extended coverage.Compiled ASPX Files We’ve added rules for the compiled ASPX files that often remain on a system even in cases in which an attacker has removed the original web shell. These are perfect rules to uncover actual post-exploitation attacker activity and not “just an exploitation” and a webshell drop. You can find more information on the creation and meaning of these forensic […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[327,46,32,248],"tags":[],"class_list":["post-9581","post","type-post","status-publish","format-standard","hentry","category-alert","category-newsletter","category-thor","category-thor-lite"],"yoast_head":"\nNew Detection Rules for Exchange Exploitation Activity - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2021\/03\/18\/new-detection-rules-for-exchange-exploitation-activity\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/03\/18\/new-detection-rules-for-exchange-exploitation-activity\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/03\/18\/new-detection-rules-for-exchange-exploitation-activity\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"New Detection Rules for Exchange Exploitation Activity\",\"datePublished\":\"2021-03-18T07:28:29+00:00\",\"dateModified\":\"2022-05-30T14:05:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/03\/18\/new-detection-rules-for-exchange-exploitation-activity\/\"},\"wordCount\":1116,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"articleSection\":[\"Alert\",\"Newsletter\",\"THOR\",\"THOR Lite\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/03\/18\/new-detection-rules-for-exchange-exploitation-activity\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2021\/03\/18\/new-detection-rules-for-exchange-exploitation-activity\/\",\"name\":\"New Detection Rules for Exchange Exploitation Activity - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2021-03-18T07:28:29+00:00\",\"dateModified\":\"2022-05-30T14:05:23+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2021\/03\/18\/new-detection-rules-for-exchange-exploitation-activity\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"New Detection Rules for Exchange Exploitation Activity - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2021\/03\/18\/new-detection-rules-for-exchange-exploitation-activity\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2021\/03\/18\/new-detection-rules-for-exchange-exploitation-activity\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2021\/03\/18\/new-detection-rules-for-exchange-exploitation-activity\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"New Detection Rules for Exchange Exploitation Activity","datePublished":"2021-03-18T07:28:29+00:00","dateModified":"2022-05-30T14:05:23+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2021\/03\/18\/new-detection-rules-for-exchange-exploitation-activity\/"},"wordCount":1116,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"articleSection":["Alert","Newsletter","THOR","THOR Lite"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2021\/03\/18\/new-detection-rules-for-exchange-exploitation-activity\/","url":"https:\/\/www.nextron-systems.com\/2021\/03\/18\/new-detection-rules-for-exchange-exploitation-activity\/","name":"New Detection Rules for Exchange Exploitation Activity - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2021-03-18T07:28:29+00:00","dateModified":"2022-05-30T14:05:23+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2021\/03\/18\/new-detection-rules-for-exchange-exploitation-activity\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/9581","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=9581"}],"version-history":[{"count":15,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/9581\/revisions"}],"predecessor-version":[{"id":13058,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/9581\/revisions\/13058"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=9581"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=9581"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=9581"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}